Overview
overview
10Static
static
30d301494f1...b9.exe
windows10-2004-x64
1017123cde24...76.exe
windows10-2004-x64
103513e5a1be...0b.exe
windows10-2004-x64
103548eb3ee0...c3.exe
windows10-2004-x64
1037bb007e1a...b5.exe
windows10-2004-x64
103b8019115c...d8.exe
windows10-2004-x64
103ba16fdd2a...8a.exe
windows10-2004-x64
103c47d4d72a...e8.exe
windows10-2004-x64
105598d9028e...fd.exe
windows7-x64
105598d9028e...fd.exe
windows10-2004-x64
105d95f47641...f4.exe
windows10-2004-x64
1061d857a524...a5.exe
windows10-2004-x64
1064f004d4a2...36.exe
windows10-2004-x64
107787b07a17...49.exe
windows10-2004-x64
107cc3996906...7e.exe
windows10-2004-x64
10825d0619a8...ce.exe
windows10-2004-x64
109e6f3fd3f7...c2.exe
windows10-2004-x64
10a49c96afc3...92.exe
windows10-2004-x64
10e2945d600c...9e.exe
windows10-2004-x64
10eb8cedd00b...3b.exe
windows10-2004-x64
10f9bdee7f3d...5b.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 11:07
Static task
static1
Behavioral task
behavioral1
Sample
0d301494f1fd79496a102de54faf16772306d560cc125b858d5e57a6e12787b9.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
17123cde248bf04440dd66e0818e707111a27baaf0a0f8b46803653840d0f776.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
37bb007e1a7b802fb160d31d43e6ee29920fb53b1d37beda1c042d893778cab5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
3b8019115c4ceca7cbcfddbb6bbe680cac9c8811275a16616d40ff294ceb6ed8.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
3c47d4d72a38e9bc6761e47d9e0e51429f2c67ffdd939c07a664efe29c9cd5e8.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe
Resource
win7-20240215-en
Behavioral task
behavioral10
Sample
5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
5d95f476419d3a3135715f2eed0aa6de69b130436772d29100fd7870a2c450f4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
61d857a52459b5cf9779c58c6ee28d8e2760da3fe873785eb0afcffa6b0680a5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
64f004d4a260338ba4eea50516df52087bab791fd6eb50d0b4eb189e6e13bb36.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral14
Sample
7787b07a1719f5524402ec7cf71fb92a7177ee85b0a424e2b97f619ba2b32e49.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
7cc399690625fe51c1b469f7e049782a493baa3a1ef701d932c57888bd5d237e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
9e6f3fd3f785137a445cbe56ff06c292a6df24180f53811fc86132a2bd4859c2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
eb8cedd00b7ab240f275eb4069c500fbebe244ecae84cca8f1700815583b7f3b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe
Resource
win10v2004-20240426-en
General
-
Target
f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe
-
Size
632KB
-
MD5
d08c8cb40ccb8a4d4ed7085f0fcac3e5
-
SHA1
2475d4395f39cbc5a9937537078fe78bca37248b
-
SHA256
f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b
-
SHA512
fafa3c5059b04bded85ac86a46c1dfdcbc2e7c781d573248e5e7008d6e5a751eeb4764244cc8aa0d76a59adf21fa8837e8c8a8f195d835674866d22039097cf3
-
SSDEEP
12288:4MrZy90XTnuGCUTLvPQdsFfPay8HC7UZTcsCJ+53D//Uw94d6Yqlrf8eCSXT:ByCHx/XQ0fPa67UVcDJ+53L/Uw94d2lj
Malware Config
Extracted
redline
jokes
77.91.124.82:19071
-
auth_value
fb7b36b70ae30fb2b72f789037350cdb
Signatures
-
Detect Mystic stealer payload 1 IoCs
resource yara_rule behavioral21/files/0x0008000000023435-19.dat mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral21/files/0x0007000000023436-23.dat family_redline behavioral21/memory/3564-24-0x0000000000790000-0x00000000007C0000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 1728 y2397778.exe 736 y4776523.exe 3320 m0121212.exe 3564 n3001777.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y2397778.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" y4776523.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3524 wrote to memory of 1728 3524 f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe 82 PID 3524 wrote to memory of 1728 3524 f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe 82 PID 3524 wrote to memory of 1728 3524 f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe 82 PID 1728 wrote to memory of 736 1728 y2397778.exe 83 PID 1728 wrote to memory of 736 1728 y2397778.exe 83 PID 1728 wrote to memory of 736 1728 y2397778.exe 83 PID 736 wrote to memory of 3320 736 y4776523.exe 84 PID 736 wrote to memory of 3320 736 y4776523.exe 84 PID 736 wrote to memory of 3320 736 y4776523.exe 84 PID 736 wrote to memory of 3564 736 y4776523.exe 85 PID 736 wrote to memory of 3564 736 y4776523.exe 85 PID 736 wrote to memory of 3564 736 y4776523.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe"C:\Users\Admin\AppData\Local\Temp\f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2397778.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2397778.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4776523.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4776523.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0121212.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m0121212.exe4⤵
- Executes dropped EXE
PID:3320
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3001777.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3001777.exe4⤵
- Executes dropped EXE
PID:3564
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
530KB
MD55061a0d7d94d44fc5bbb962df410c108
SHA10cafcc2ac6f78b0210c7ce506058358863b67488
SHA256094d87cd8fd3cc88f324f680eac4e338bb582eb504eb5b68606ba35d6d387576
SHA512a17a41883fb3eb27288058d30c9a0c0b0a1b6297b2870c635b2c687ac38b841459ae50eb6ea92e61f016f0f09990775433071432aa2284c5c4d3ae15be3e5703
-
Filesize
272KB
MD58eba0485ac0a7780fa377c00808ad6b8
SHA1c936a0476c63df488bcf97053ff5809f5871b363
SHA256a5bd07211cadf84bce70fd372c65b356ec90df6be3f201eee00943c9406e5c79
SHA512490e67f41d00cc4ec7c76e91ff2b98ce664a74d307affb14637d02203a3410ba73e4b5302d4643350af44bed00cc50ad1d6dc0670e9e452a93ec6fc80cd8ff9b
-
Filesize
140KB
MD592ad6c4dea02f75c3599d4c1f737b929
SHA1193e468583e2793a03c2fbfa111237a8a81a71f9
SHA2568b8bac8aced57e0f790a95915537402dee9d80e4ca3f1a6e96662df86a7b4dcf
SHA512a1cba18844e3b1aa618a32768958b96d7ad58dffef5aa4e14eafb1ed4a32d74a1384b95590f5689d65115fe2221faca244301e8d641caedb1c77f5bc1904f95a
-
Filesize
174KB
MD506d07aa95fc4f476fe3813ee31e1b54c
SHA104680450a32772111945b06876395f45af500cf1
SHA256090cf3a3f853381105376d3a1d12351c503000f2e8742359c0cb179cb82508fc
SHA5123290f1d11b6b4c891179bb08a6f7ce38088e5a5b851eba167c6807ba5938af6bc33ac7a4b895a97e4896cb9fee49523d0686b0913dc5345e9286b30fcd292568